This guide is written for people who just want a personal firewall running on their workstations. You might be running Gentoo at work and would like some protection from a crazy co-worker. Or you might like some added protection on your internal servers.

I enabled all the options as modules (in case I want to test other options later) and added ip_tables to my modules.autoload. This loads several modules as dependencies. Later you may want ip_conntrack for logging. Don't forget to "modprobe ip_tables" before running scripts.

Necessary Utilities
Next you must emerge the userland tools for configuring iptables:

Code:

emerge iptables

Scripting
Now to the fun part.....iptables. We're going to simply allow everything out, and nothing in. Create a file (vi or nano my-rules, or whatever you name your script), and put this in there:

The reason we start, then stop, then start again is because we haven't yet started the iptables script...so we must set the initialized status before stopping. Stopping essentially erases all settings and puts you back to zero. Restarting will show you whether your network will still work after rebooting. Assuming success, we add iptables to our default runlevel:

Code:

rc-update add iptables default

That should be the end of it. Now if you want to add SSH, you can add this to your script:

I'm really only interested in people trying to ssh to my workstation, or probing for services. I used "-p tcp" to rule out UDP packets. I used "-d x.x.x.x" (where x.x.x.x is my IP address) because I'm only interested in packets destined for my machine.

_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
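As an added example (this is not the script from the original post, which is not reproduced on this page): a complete "everything out, nothing in" ruleset of the kind the post describes, written as a shell function, with the SSH-probe logging rule the post mentions. The address 192.0.2.10 stands in for the "x.x.x.x" of the post and is a constructed placeholder. With IPT left at its default of echo the script only prints the iptables commands, so they can be reviewed without root; run it as root with IPT=iptables to load them. The ESTABLISHED,RELATED rule is also the answer to the question asked further down the thread about why web browsing still works under "nothing in".

```shell
#!/bin/sh
# Added example, not the script from the original post: a default-deny
# workstation ruleset ("everything out, nothing in") plus SSH-probe logging.
# IPT=echo (the default here) only prints the commands so the ruleset can be
# reviewed without root; IPT=iptables applies them for real.
IPT="${IPT:-echo}"

workstation_rules() {
    my_ip="$1"    # this host's own address; 192.0.2.10 is a constructed placeholder

    # Start from a clean slate: flush rules, delete user chains, zero counters
    # (the equivalent of the post's "stop" step).
    "$IPT" -F
    "$IPT" -X
    "$IPT" -Z

    # Policies: everything out, nothing in, no forwarding (a workstation is not a router).
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP

    # Loopback must always be allowed or local services (X, CUPS, ...) break.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. This is the rule that keeps web
    # browsing, IRC and IM working under a DROP policy: the inbound packets
    # belong to an outbound connection tracked by ip_conntrack, so they are
    # not "new" inbound traffic.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log new TCP connection attempts to port 22 on my address, rate-limited so
    # a scan cannot flood the kernel log, then let the INPUT policy drop them.
    "$IPT" -A INPUT -p tcp -d "$my_ip" --dport 22 -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "ssh-probe: "
}

workstation_rules "${1:-192.0.2.10}"
```

After applying the rules, `iptables -L INPUT -nv` shows the chain with packet counters, which is the quickest way to confirm that probes are hitting the LOG rule and that the counter on the ESTABLISHED,RELATED rule climbs while you browse. Persist the ruleset the way the post does, through the iptables init script, once the start/stop/start cycle confirms the network still works.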

True, that is actually a lot better!!
However, I am now getting this occurring again:

https://forums.gentoo.org/viewtopic.php?t=289426

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Another alternative is firestarter for those like me who even find this too daunting.
_________________
"A million surplus Maggies are willing to bear the yoke; And a woman is only a woman, but a good cigar is a Smoke" -- Rudyard Kipling (on why he chose cigars over his wife)

I find it easier to deal with iptables directly by making my own scripts like the one in the first post here. Once you get into using programs like firestarter, firehol, shorewall, or one of the other hundred programs out there, you begin to lose sight of what is really going on, and you then have to rely on a 3rd-party program which is scrambling everything that is really going on. In order for you to make iptables work you have to edit a script for a program which in turn then interfaces with iptables for you; you have just added a middleman which is really not needed. Now if something happens and you need to figure out what is really going on with your iptables rules, you're going to be lost, unless you can call upon your scripting program.

It is a good idea to stick with learning the iptables commands as they will be used the same across any system. Whereas if you learn firehol, firestarter, etc., when you sit down or log in to some remote machine and have to alter the chains you're going to be stuck scratching your head, asking the admin if he could please install firestarter. (Yes, if you're allowed to look at the scripts most likely you will have root access and the ability to install firestarter.)

Now, if I turn this on, the Windows XP box in the LAN stops seeing my samba shares. You can see in the code above that there are rules of exception for the SMB ports. I guess there are others that should be left open but I missed them!

So, what ports must I leave open so that the samba clients in the LAN can access my shares?
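As an added example, not code from anyone in the thread: the LAN-only exception a Samba server needs under an INPUT DROP policy. Samba listens on four ports: 137/udp (NetBIOS name service), 138/udp (NetBIOS datagram), 139/tcp (NetBIOS session) and 445/tcp (SMB directly over TCP). Windows clients use the UDP ports for browsing and name resolution, so opening only 139 and 445 leaves the shares reachable by address but invisible in Network Neighbourhood. The subnet 192.168.1.0/24 and interface eth0 are constructed placeholders for your LAN.

```shell
#!/bin/sh
# Added example, not code from the thread: allow Samba/SMB only from the LAN
# under an INPUT DROP policy. 192.168.1.0/24 and eth0 are placeholders.
IPT="${IPT:-echo}"   # echo = dry run (prints the commands); IPT=iptables applies as root

samba_lan_rules() {
    lan="$1"
    iface="$2"
    # Match on both the interface and the source subnet, so a packet with a
    # forged LAN source address arriving on the Internet-facing interface is
    # still dropped. multiport keeps this to one rule per protocol.
    "$IPT" -A INPUT -i "$iface" -s "$lan" -p udp -m multiport --dports 137,138 -j ACCEPT
    "$IPT" -A INPUT -i "$iface" -s "$lan" -p tcp -m multiport --dports 139,445 -j ACCEPT
}

samba_lan_rules "${1:-192.168.1.0/24}" "${2:-eth0}"
```

These rules are appended with -A, so they must come before any catch-all LOG or DROP/REJECT rule in INPUT; a rule after such a catch-all is never reached. Rules, unlike the chain policy, are evaluated in order.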

It says that the script allows "everything out and nothing in". But my internet still works? It doesn't seem like everything coming in is being blocked. Which part of the script is allowing things in?
_________________
"What goes on in life, that goes for eternity."

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Thanks!

It didn't for me.

No ports were open, 9 were stealthed and the rest were closed.

It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).

Can anybody post lines of code to add to the file to help pass the test or stealth all ports?
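As an added example, not a reply from anyone in the thread: what decides whether a scanner reports a port as "closed" or "stealth" is what the host sends back. A REJECT target answers with a TCP RST or an ICMP unreachable, which is what "closed" means; a DROP target sends nothing, which is "stealth". "Ping Reply: RECEIVED" simply means an ICMP echo-request was allowed in and answered. The function below emits the rules for either behaviour; its arguments and the dry-run IPT variable are conventions of this example, not of the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: "stealth" (DROP, no response at
# all, including to ping) versus "closed" (REJECT, an active refusal) for all
# unsolicited inbound traffic, with replies to our own connections still allowed.
IPT="${IPT:-echo}"   # echo = dry run (prints the commands); IPT=iptables applies as root

unsolicited_rules() {
    mode="$1"   # "stealth" or "closed"

    # Both modes keep loopback and the replies to connections this host opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    case "$mode" in
        stealth)
            # Explicitly discard echo-request so the intent is visible in
            # "iptables -L", then let the DROP policy swallow everything else
            # silently: no RST, no ICMP unreachable, no echo-reply.
            "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
            "$IPT" -P INPUT DROP
            ;;
        closed)
            # Actively refuse: TCP gets a RST, everything else an ICMP
            # port-unreachable, so clients fail fast instead of timing out.
            "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
            "$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable
            "$IPT" -P INPUT DROP
            ;;
        *)
            echo "usage: unsolicited_rules stealth|closed" >&2
            return 1
            ;;
    esac
}

unsolicited_rules "${1:-stealth}"
```

DROP is the right choice on an Internet-facing interface, but it has a cost on a LAN: anything that legitimately tries to reach the host waits for a full connection timeout instead of getting an immediate refusal, which makes misconfigurations harder to diagnose. Stealth also only hides the host from the scanner's point of view; it does nothing for services you deliberately expose, which is the point made later in the thread.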

I'm sorry to ask again, but how do websites work in the original script? I thought the script blocked all incoming traffic. So how can programs such as Gaim, IRC, etc. all work on my computer?

I think, as much as ShieldsUp has contributed to making the net safer, and can be a useful tool, it has also engendered a certain amount of paranoia amongst certain people.

Sometimes, ports are going to be open. It's a fact. Hell, if you run any kind of external-facing server, you're going to need certain ports to be unscreened. Same with many p2p apps. What matters in these cases is making sure the software that is world-facing is as up to date and secure as it can be. A firewall is an important part of your computer security, yes, but it's only a part.

That said, does anyone know if any of the newer (multiport/multi-address) iptables stuff is any good?
_________________
"Every problem in the universe can be solved by finding the right long-haired prettyboy, and beating the crap out of him."